SECNAV launches plan to battle 'insider threats'

Cybersecurity effort likely means more training

Sep. 7, 2013 - 06:00AM
|

The Navy has a new plan to confront “insider threats” in the Navy and Marine Corps, and it will involve more scrutiny, better training and a team of top leaders to oversee its implementation.

Navy Secretary Ray Mabus issued an instruction in August that creates the Department of the Navy Insider Threat Program. The goal is to prevent cases like the data leaks by Army Pfc. Bradley Manning and former National Security Agency contractor Edward Snowden, and violence like Army Maj. Nidal Hasan’s shooting rampage at Fort Hood, Texas.

“With this instruction, Secretary Mabus has given the Department of the Navy its marching orders,” said Vice Adm. Michael Rogers, head of Fleet Cyber Command. “We need to do all we can to be aware of the threat, and take those actions necessary to reduce that threat.”

As head of the Navy’s cybersecurity arm, Rogers’ team of cyber warriors plays a critical role in fighting insider threats. But Rogers insists the threat is an “all hands” issue.

“All who serve within the Navy — active, reserve, officer, enlisted, civilian employees and contract support personnel — are put at risk by this threat, and all can help diminish that threat,” said Rogers, who responded to Navy Times’ questions via email.

The Navy’s program follows President Obama’s orders in November for executive agencies to develop standards to protect classified information and prevent acts of violence.

Mabus’ instruction defines an insider threat as a “person with authorized access, who uses that access wittingly or unwittingly, to harm national security interests or national security through unauthorized disclosure, data modification, espionage, terrorism, or kinetic actions resulting in loss or degradation of resources or capabilities.”

Rogers stressed that an ignorant sailor who fails to adhere to proper procedures can be just as dangerous as someone who knowingly leaks classified information.

“For example, a sailor or officer on a ship who plugs his or her cell phone or music device into the [Secure Internet Protocol Router] machine to charge it or uses another prohibited item in a USB port to transfer data can unintentionally do great harm by introducing viruses or malicious code onto a computer system,” Rogers said. “Such actions put sensitive information, our mission, and lives at risk by exposing the Navy’s network to vulnerabilities that could allow the adversary access.”

SECNAV's plan

Insider threats are not a new issue for the services, and the Navy and Marine Corps teach service members about the risks: using thumb drives, for example, or posting ship locations on Facebook. The services are also working on network upgrades, or as Rogers refers to them, “hardening measures.”

“The Insider Threat program will help bring some focus to those separate efforts, and put it all in terms that we in the military understand: Here’s the threat, and here’s what we must do to combat that threat,” Rogers said.

Mabus’ instruction includes orders to:

■ Ensure training and awareness programs are put in place and updated as necessary.

Over the next couple of months, the Navy will create an executive board to oversee implementation of the program, chaired by the fleet’s deputy undersecretary for plans, policy, oversight and integration. It will include three-star reps for the chief of naval operations and Marine Corps commandant.

It will be up to the commandant and CNO to track, review and catalog potential insider threats. These will be presented in an annual report to the SECNAV.

It remains to be seen what additional training and policies sailors will receive under the new program, but it will undoubtedly mean some changes.

Standardized policies will also make it easier to hold leadership responsible, Rogers said.

“This baseline will ... allow commanders to realize that they are responsible for enforcing cyber­security measures and will be held accountable for breeches and security violations,” he said. “In the long run, this insider threat effort is as much about changing the Navy’s culture with respect to cybersecurity in war fighting ... as it is about deterring the insider threat. The efforts go hand in hand.”